Security Accreditation Scheme

Increasing security, lowering business risks

The Universal Integrated Circuit Card (UICC) in mobile devices, and its applications and data play a fundamental role in ensuring the security of the network, the subscriber’s account and related services and transactions. To safeguard the integrity of UICCs, of Embedded UICCs (eUICCs) with remote provisioning capabilities, and of their applications and data, it is essential that the supplier environment and processes that are used to manufacture and/or manage UICCs and eUICCs are secure.

The GSMA’s Security Accreditation Scheme (SAS) enables mobile operators, regardless of their resources or experience, to assess the security of their UICC and eUICC suppliers, and of their eUICC subscription management service providers. Two schemes operate under SAS:

SAS for UICC Production (SAS-UP): This is a well-established scheme through which UICC and eUICC manufacturers subject their production sites and processes to a comprehensive security audit. Successful sites are awarded security accreditation for a period of one year, extending to two further years upon each successful renewal. This scheme has accredited some of the industry’s largest suppliers. GSMA also provides advice to its members on how to benefit from SAS-UP.

SAS for Subscription Management (SAS-SM): To ensure industry confidence in the security of remote provisioning for eUICCs, a related security auditing and accreditation scheme exists for the providers of eUICC subscription management services.

Both schemes benefits both suppliers and mobile operators in the following ways:

Advantages to suppliers

Demonstrates commitment to security and reduces risks for customers

Means fewer individual operator inspections

Provides certification from the world’s leading wireless industry representative body

Delivers a world-class security review of operations

Offers a uniform approach to security audits

Part of GSMA remote SIM provisioning compliance scheme for eUICC production and subscription management

Advantages to mobile operators

No need to spend money and time conducting individual audits

Audits are conducted by highly-qualified individuals at no cost to the operator

The scheme sets a rigorous security standard requiring a high-level of supplier commitment

The GSMA publicises supplier sites that gain accreditation under the scheme, highlighting to its members the benefits of acquiring UICCs, eUICCs and subscription management services from such sites. Accredited suppliers may use the special SAS supplier logo on their promotional materials, increasing visibility of their accredited status among mobile operators.

How to Apply

The Security Accreditation Scheme is open to all UICC and eUICC suppliers and providers of subscription management services, regardless of location, and the GSMA welcomes the participation of all interested parties.

For further information, or to register an interest in participating in SAS, contact the GSMA by completing an online form or sending email to sas@gsma.com.

Audit applications should be submitted to GSMA several months in advance to increase the likelihood of the SAS audit teams being available to conduct an audit on or near the dates requested by the auditee. As a guide:

Embedded UICC (also known as eSIM) is a UICC that supports “over the air” provisioning of an initial operator subscription and the subsequent change of subscription from one operator to another in accordance with GSMA specifications.